Chapter 12: Network Security

Objectives

Identify security risks in LANs and WANs and design security policies that minimize risks

Explain how physical security contributes to network security

Discuss hardware- and design-based security techniques

Understand methods of encryption, such as SSL/TLS and IPsec, that secure data in transit, and tools such as PGP that also secure data in storage

Describe how popular authentication protocols, such as RADIUS, TACACS, Kerberos, PAP, CHAP, and MS-CHAP, function

Use network operating system techniques to provide basic security

Understand wireless security protocols, such as WEP, WPA, and 802.11i

Security Audits

Examine network’s security risks

 Consider effects

Different organization types

 Different network security risk levels

Security audit

 Thorough network examination

Determine possible compromise points

 Performed in-house

By IT staff

 Performed by third party

Security Risks

Recognize network threats

Breaches caused by:

 Manipulation of network technology

 Careless or malicious insiders

 Missing or underdeveloped security policies

Security threat considerations

 How to prevent

 How it applies to your network

 How it relates to other security threats

Risks Associated with People

Roughly half of all security breaches

 Caused by human error, ignorance, or omission

Social engineering

 Manipulating people into revealing passwords or other access information

 Phishing

Obtaining access or authentication information by posing as someone with a legitimate need for it
Usually via a deceptive e-mail or a look-alike Web site

Phishing IQ Test

Link Ch 12a

Risks Associated with People

Attackers using social engineering or snooping to obtain passwords

Administrator incorrectly assigning user IDs and rights

Administrators overlooking security flaws

Lack of proper documentation or communication of security policies

Dishonest or disgruntled employees

Unused computers left on and connected to the network

Users choosing easily-guessed passwords

Computer room doors left open or unlocked

Discarding disks, tapes, or manuals in public trash containers

Administrators neglecting to remove accounts for employees who have left the organization

Users posting passwords in public places, like Post-it notes, or telling other users their passwords

Risks Associated with Transmission and Hardware

Physical, Data Link, and Network layer security risks

 Exploiting them requires more technical sophistication than social engineering

Risks inherent in network hardware and design

 Transmission interception

Man-in-the-middle attack

 Eavesdropping

Networks connecting to Internet via leased public lines

 Sniffing

Network hubs broadcasting traffic over entire segment

Unused hub, switch, router, server physical ports not secured

Software ports not secured, can be found with a port scanner like nmap

Router attack

 Routers not configured to drop suspicious packets

Dial-in security holes

 Modems accept incoming calls

 Dial-in access servers not secured, monitored

General public computer access may be on same network as computers hosting sensitive data

Insecure passwords for routers, switches, and other network hardware

 Easily guessable, default values

Risks Associated with Protocols and Software

Risks at the Transport, Session, Presentation, and Application layers

Networking protocols and software risks

 TCP/IP security flaws (many protocols carry credentials and data in plaintext, with no authentication of the source)

 Trust relationships between servers (compromise one, inherit its access to the others)

 NOS back doors, security flaws

 NOS allows server operators to exit to a command prompt

 Administrators leaving default security options in place

 Transactions between applications can be intercepted

Risks Associated with Internet Access

Network security compromise

 More often “from the inside”

Outside threats still very real

 Web browsers permit scripts to access systems

 Users providing information to sites

Common Internet-related security issues

Improperly configured firewall

 Outsiders learn internal IP addresses and forge packets that appear to come from them: IP spoofing

Telnet or FTP

 Transmit user ID and password in plaintext

Newsgroups, mailing lists, forms

 Provide attackers with user information

Chat session flashing

Denial-of-service attack

 Floods a network with useless traffic

An Effective Security Policy

Minimizes break-in risk

 Communicates with and manages users

Security policy

 Identifies security goals, risks, authority levels, designated security coordinator, and team members

Team member and employee responsibilities

 Specifies how to address security breaches

Not included in policy:

 Hardware, software, architecture, and protocols

 How hardware and software is installed and configured

Security Policy Goals

Ensure authorized users have appropriate resource access

Prevent unauthorized user access

Protect sensitive data from unauthorized access

 From inside and outside

Prevent accidental hardware and software damage

Prevent intentional hardware or software damage

Create secure environment

 Withstand, respond to, and recover from threat

Communicate employees’ responsibilities

Strategy

 Form committee

Involve as many decision makers as possible
Assign security coordinator to drive policy creation

 Understand risks

Conduct security audit

 Address threats

Security Policy Content

Password policy

Software installation policy

Confidential and sensitive data policy

Network access policy

Email use policy

Internet use policy

Modem and remote access policy

Policies for laptops and loaner machines

Computer room access policy

And more…

Security Policy Content

Explain to users:

 What they can and cannot do

 How measures protect network’s security

User communication

 Security newsletter

 User security policy section

Define what "confidential" means to the organization

Response Policy

Security breach occurrence

 Provide planned response

Identify response team members

 Understand security policy, risks, measures in place

 Accept role with certain responsibilities

 Regularly rehearse defense

Security threat drill

Suggested team roles

 Dispatcher

Person on call who first notices, or is alerted to, the problem

 Manager

Coordinates resources

 Technical support specialist

One focus: solve problem quickly

 Public relations specialist

Official spokesperson to public

After problem resolution

 Review process

Physical Security

Restricting physical access to network components

 At minimum

Only authorized personnel can access computer room

Consider compromise points

 Wiring closet switches, unattended workstations, equipment rooms, entrance facilities, and storage rooms

Locks: physical, electronic

 Electronic access badges

 Locks requiring entrants to punch a numeric code

 Bio-recognition access, such as iris pattern or fingerprint

Physical barriers

 Gates, fences, walls, and landscaping

Closed-circuit TV systems monitor secured rooms

Surveillance cameras

 Computer rooms, Telco rooms, supply rooms, data storage areas, and facility entrances

 Central security office

Display several camera views at once

Switch from camera to camera

 Video footage for investigation and prosecution

Security audit

 Ask questions related to physical security checks

Consider losses from salvaged and discarded computers

 Hard disk information stolen

 Solution

Run a specialized disk sanitizer program that overwrites every sector

Remove the disk and use a magnetic hard disk eraser (degausser)

Pulverize or melt the disk

Security in Network Design

Breaches may occur due to poor LAN or WAN design

 Address through intelligent network design

Preventing external LAN security breaches

 Optimal solution

Do not connect to outside world

 Realistic solution

Restrict access at every point where LAN connects to outside world

Router Access Lists

Control traffic through routers

Router’s main function

 Examine packets and determine where to send them

Based on Network layer addressing information

ACL (access control list)

 Also known as an access list

 Tells the router which packets to decline to forward

ACL instructs router

 Permit or deny traffic according to variables:

Network layer protocol (IP, ICMP)

Transport layer protocol (TCP, UDP)

Source IP address

Destination IP address

TCP, UDP port number

Router receives packet, examines its headers

 Refers to ACL for permit and deny criteria, top to bottom; the first matching statement wins

 Drops packet if its characteristics match a statement

Flagged as deny (a packet matching no statement is dropped by the implicit deny at the end of the list)

Access list statements

 Deny all traffic from certain source addresses

 Deny all traffic destined for TCP port 23

Separate ACLs for:

 Interfaces

 Inbound and outbound traffic

Intrusion Detection and Prevention

Provides more proactive security measure

 Detecting suspicious network activity

IDS (intrusion detection system)

 Software monitoring traffic

On dedicated IDS device

On another device performing other functions

 Port mirroring

 Detects many suspicious traffic patterns

Denial-of-service, smurf attacks

DMZ (demilitarized zone)

 Network’s protective perimeter

 IDS sensors installed at network edges

IDS at DMZ drawback

 Number of false positives logged

IDS can only detect and log suspicious activity

IDS Example: Snort

IPS (intrusion-prevention system)

 Reacts to suspicious activity

When alerted

 Detect threat and prevent traffic from flowing to network

Based on originating IP address

 Compared to firewalls

IPS originally designed as more comprehensive traffic analysis, protection tool

Differences now diminished
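The two detections named on the IDS slide (smurf and denial-of-service floods), written out as the kind of check a sensor runs over traffic copied to it by port mirroring. This is an added example, not code from the page or from Snort: the flow-record format, the local subnets, the thresholds and the sample traffic are all constructed for the illustration.

```python
"""Added example: signature-style checks an IDS sensor applies to mirrored traffic.

Constructed flow records stand in for what a sensor sees on a port-mirror
(SPAN) interface.  Two detections are implemented:
  * smurf: ICMP echo requests aimed at a directed-broadcast address, which a
    misconfigured network would amplify toward the (spoofed) source;
  * SYN flood: many TCP SYNs to one target within a short window with almost
    no completed handshakes.
Record format, subnets and thresholds are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds
    proto: str         # "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    flags: str = ""    # TCP flags, e.g. "S", "SA", "A"
    icmp_type: int = -1


# Local subnets whose directed-broadcast addresses a smurf attack would abuse.
LOCAL_NETS = [ip_network("192.168.1.0/24"), ip_network("10.20.0.0/16")]


def is_directed_broadcast(addr: str) -> bool:
    a = ip_address(addr)
    return any(a == net.broadcast_address for net in LOCAL_NETS)


def detect_smurf(flows):
    """Alert once per (claimed source, broadcast target) pair."""
    alerts = set()
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 8 and is_directed_broadcast(f.dst):
            alerts.add(("smurf", f.src, f.dst))
    return sorted(alerts)


def detect_syn_flood(flows, window=1.0, threshold=20, max_ack_ratio=0.2):
    """Sliding window of SYN-only segments per (destination, port).

    A handshake counts as completed when a client sends an ACK-only segment
    (third step).  A flood shows many SYNs and almost no completions."""
    alerts = set()
    syns = defaultdict(list)      # (dst, dport) -> timestamps of recent SYNs
    acked = defaultdict(int)      # (dst, dport) -> completed handshakes
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "tcp":
            continue
        key = (f.dst, f.dport)
        if f.flags == "S":
            syns[key].append(f.ts)
            syns[key] = [t for t in syns[key] if f.ts - t <= window]
        elif f.flags == "A":
            acked[key] += 1
        n = len(syns[key])
        if n >= threshold and acked[key] / n <= max_ack_ratio:
            alerts.add(("syn_flood", key[0], key[1]))
    return sorted(alerts)


def sample_traffic():
    """Constructed records: one legitimate web client, one smurf probe,
    and a 50-packet SYN flood from rotating spoofed sources."""
    flows = [Flow(0.0, "tcp", "192.168.1.50", "192.168.1.10", 443, "S"),
             Flow(0.1, "tcp", "192.168.1.50", "192.168.1.10", 443, "A"),
             Flow(0.5, "icmp", "203.0.113.9", "192.168.1.255", icmp_type=8)]
    flows += [Flow(1.0 + i * 0.01, "tcp", f"198.51.100.{i % 250 + 1}",
                   "192.168.1.10", 80, "S") for i in range(50)]
    return flows


if __name__ == "__main__":
    traffic = sample_traffic()
    for alert in detect_smurf(traffic) + detect_syn_flood(traffic):
        print(alert)
```

Both checks are deliberately narrow: the smurf rule only fires on echo requests to a broadcast address of a subnet the sensor has been told about, and the flood rule requires both volume and a low completion ratio, which is what keeps a busy but healthy web server from tripping it. Tuning those two lists is exactly the false-positive work the slide attributes to IDS sensors at the DMZ.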

Firewalls

Specialized device, or a computer installed with specialized software

 Selectively filters, blocks traffic between networks

 Involves hardware, software combination

 Resides

Between two interconnected private networks

Between private network and public network

Network-based firewall

 Protects a whole network

Host-based firewall

 Protects one computer

Packet-filtering firewall (screening firewall)

 Simplest firewall

 Blocks traffic into LAN

Examines header

 Blocks traffic attempting to exit LAN

Stops spread of worms

Firewall default configuration

 Block most common security threats

Preconfigured to accept, deny certain traffic types

 Network administrators often customize settings

Common packet-filtering firewall criteria

 Source, destination IP addresses

 Source, destination ports

 Flags set in the TCP header (SYN, ACK, FIN) or the IP header

 Transmissions using UDP or ICMP protocols

 Packet’s status as first packet in new data stream, subsequent packet

 Packet’s status as inbound to, outbound from private network

Port blocking

 Prevents connections to, and transmissions through, specific ports

Firewall may have more complex functions

 Encryption

 User authentication

 Central management

 Easy rule establishment

 Filtering

Content-filtering firewalls, layer 7 firewalls, deep packet inspection

 Logging, auditing capabilities

 Protect internal LAN’s address identity

 Monitor data stream from end to end

Yes: stateful firewall

If not: stateless firewall

Tailor firewall to needs

 Consider which traffic to filter (takes time)

 Consider exceptions to rules

Cannot distinguish a user trying to breach the firewall from an authorized user when both arrive from permitted addresses and ports
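How the router ACL described earlier and the packet-filtering firewall described here actually decide on a packet, as an added example that is not part of the page or of any vendor's firewall. It models first-match evaluation with the implicit deny, then adds the one thing a stateful firewall has that a stateless ACL lacks: a table of connections opened from inside, so replies can come back without a blanket "permit established" hole. Rule syntax, addresses, the LAN prefix and the interface names are assumptions for the example.

```python
"""Added example: stateless ACL evaluation and a stateful packet filter.

Simplified model, not a real device's syntax.  Addresses, prefixes and the
'lan'/'wan' interface names are assumptions for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False      # TCP SYN flag
    ack: bool = False      # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate_acl(rules, p: Packet) -> str:
    """Stateless first-match evaluation ending in the implicit 'deny any'
    that router ACLs have.  Order matters: a permit above a deny wins."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


LAN = "192.168.1.0/24"
# Inbound ACL on the Internet-facing interface (traffic entering the LAN).
INBOUND_ACL = [
    Rule("deny", src=LAN),                    # anti-spoofing: LAN sources never arrive from outside
    Rule("deny", proto="tcp", dport=23),      # 'deny all traffic destined for TCP port 23'
    Rule("permit", proto="tcp", dst="192.168.1.10/32", dport=443),   # public HTTPS server only
]


class StatefulFilter:
    """Remembers connections initiated from inside so their replies can return."""

    def __init__(self, lan: str, inbound_acl):
        self.lan = ip_network(lan)
        self.inbound_acl = inbound_acl
        self.table = set()      # (proto, lan_ip, lan_port, remote_ip, remote_port)

    def filter(self, p: Packet, arrived_on: str) -> str:
        """Direction comes from the arrival interface ('lan' or 'wan'), never
        from the source address, which an attacker controls."""
        if arrived_on == "lan":
            # A TCP SYN without ACK, or any UDP/ICMP packet, opens a new flow.
            if p.proto != "tcp" or (p.syn and not p.ack):
                self.table.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "permit"
        if ip_address(p.src) in self.lan:
            return "deny"                                    # spoofed internal source
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.table:
            return "permit"                                  # reply to a flow we opened
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"                                    # mid-stream segment, unknown connection
        return evaluate_acl(self.inbound_acl, p)             # genuinely new inbound connection


if __name__ == "__main__":
    fw = StatefulFilter(LAN, INBOUND_ACL)
    out = Packet("tcp", "192.168.1.20", "198.51.100.7", 51000, 80, syn=True)
    reply = Packet("tcp", "198.51.100.7", "192.168.1.20", 80, 51000, syn=True, ack=True)
    print("outbound:", fw.filter(out, "lan"), " reply:", fw.filter(reply, "wan"),
          " same reply through stateless ACL:", evaluate_acl(INBOUND_ACL, reply))
```

The last line of the demo is the point of the stateful column on the slide: the stateless ACL has no rule permitting a packet to port 51000, so it would drop the legitimate reply, and the only stateless fix is a broad rule permitting anything with ACK set, which also lets through the stray segments the connection table rejects.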

Proxy Servers

Proxy service

 Network host software application

Intermediary between external, internal networks

Screens all incoming and outgoing traffic

Proxy server

 Network host running proxy service

 Application layer gateway, application gateway, and proxy

 Manages security at Application layer

Fundamental functions

 Prevent outside world from discovering internal network addresses

Improves performance

 Caching files

Examples

 Squid on Linux

 Microsoft Internet Security and Acceleration (ISA) Server

NOS (Network Operating System) Security

Restrict user authorization

 Access to server files and directories

 Public rights

Conferred on all users

Very limited

 Group users according to security levels

Assign additional rights

Logon Restrictions

Additional restrictions

 Time of day

 Total time logged on

 Source address

 Unsuccessful logon attempts

Passwords

Choosing secure password

 Guards against unauthorized access

 Easy, inexpensive

Communicate password guidelines

 Use security policy

 Emphasize company financial, personnel data safety

Do not back down

Tips

 Change system default passwords

 Do not use familiar information or dictionary words

Dictionary attack

 Use long passwords

Letters, numbers, special characters

 Do not write down or share

 Change frequently

 Do not reuse

 Use different passwords for different applications
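What the "dictionary attack" bullet means in practice, as an added example that is not from the page: a small wordlist is expanded with the decorations users actually add (capitalisation, trailing digits or years, "!", leetspeak) and hashed against a set of targets. The wordlist, the target passwords and the guess rate used for the key-space arithmetic are constructed for this example; real attackers use lists of hundreds of millions of entries and GPU rigs far faster than the assumed rate.

```python
"""Added example: a dictionary attack with mangling rules, and brute-force key space.

Targets are SHA-256 hashes of passwords constructed for this example; the
five-word list stands in for the huge lists attackers actually use."""
import hashlib

WORDLIST = ["password", "summer", "letmein", "dragon", "welcome"]     # constructed


def h(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(word: str):
    """Yield the variants people derive from a base word: capitalisation,
    simple leetspeak, appended punctuation, digits and years."""
    leet = word.translate(str.maketrans("aeios", "43105"))
    for base in {word, word.capitalize(), word.upper(), leet}:
        yield base
        yield base + "!"
        for n in range(100):
            yield f"{base}{n}"
            yield f"{base}{n}!"
        for year in range(1990, 2030):
            yield f"{base}{year}"
            yield f"{base}{year}!"


def dictionary_attack(target_hashes, wordlist):
    """Return ({hash: recovered password}, guesses made)."""
    remaining = set(target_hashes)
    found, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = h(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
            if not remaining:
                return found, guesses
    return found, guesses


def keyspace(charset_size: int, length: int) -> int:
    """Candidates a brute-force attack must be prepared to try."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, guesses_per_second=1e10) -> float:
    """Assumed rate of 1e10 guesses/s for a fast unsalted hash; a constructed figure."""
    return keyspace(charset_size, length) / guesses_per_second / (365 * 24 * 3600)


# Constructed targets: three 'decorated dictionary words' and one long passphrase.
TARGETS = {h("Password1"), h("summer2019!"), h("dr4g0n"),
           h("seven-lanterns-over-quiet-harbour")}

if __name__ == "__main__":
    found, guesses = dictionary_attack(TARGETS, WORDLIST)
    print(f"{len(found)} of {len(TARGETS)} recovered after {guesses} guesses")
    for digest, pw in found.items():
        print(f"  {digest[:12]}...  {pw}")
    print(f"26^8 lowercase : {years_to_exhaust(26, 8):.6f} years")
    print(f"94^12 mixed    : {years_to_exhaust(94, 12):.1e} years")
```

Three of the four targets fall in a few thousand guesses; the passphrase is untouched because no rule derives it from a dictionary word, and its length puts it beyond brute force. That is the argument behind "use long passwords" and "do not use familiar information or dictionary words" in the tips above, and salting the stored hashes (which this example omits) slows the attack against many accounts at once but does nothing for a single weak password.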

Password Managers

Save your passwords in an encrypted database protected by one strong master password

Much safer than reusing passwords or trying to remember a series of them

Free password managers

 KeePass

 Password Safe

Encryption

Use of algorithm to scramble and unscramble data

Purpose

 Information privacy

Many encryption forms exist

Last means of defense against data theft

Used with integrity checks and digital signatures, provides three assurances

 Integrity: data not modified after sender transmitted it

Before receiver picked it up

 Confidentiality: data viewed only by intended recipient

 Authenticity: all data received at intended destination:

Truly issued by stated sender

Not forged by intruder

Key Encryption

Popular encryption

 Weaves key into original data’s bits

Generates unique data block

Key

 Random string of bits (often written as characters)

 Longer key is better

Ciphertext

 Scrambled data block

Brute force attack

 Attempt to discover key

Trying numerous possible character combinations

Private Key Encryption

Data encrypted using single key

 Known by sender and receiver

Symmetric encryption

 Same key used during both encryption and decryption

DES (Data Encryption Standard)

 Most popular private key encryption

 IBM developed (1970s)

 56-bit key: secure at the time

Triple DES (3DES)

 Applies DES three times, with two or three different 56-bit keys (112 or 168 bits of key material)

AES (Advanced Encryption Standard)

 Weaves 128-, 192-, or 256-bit keys through data in multiple rounds

 Uses the Rijndael algorithm

More secure than DES

Much faster than Triple DES

 Replaced DES (and, for new designs, Triple DES) as the U.S. federal standard in 2001

Private key encryption drawback

 Sender must somehow share key with recipient

Public Key Encryption

Data encrypted using two mathematically related keys

 Private key: kept secret by its owner

 Public key: anyone may request

Public key server

 Publicly accessible host

 Freely provides users’ public keys

Key pair

 Combination of public key and private key

Asymmetric encryption

 Requires two different keys

Diffie-Hellman (1976)

 First published public key algorithm; a key agreement protocol rather than a cipher

RSA

 Most popular

 Key creation

Choose two large prime numbers and multiply them together; recovering the primes from the product (factoring) is what protects the private key

 Used in conjunction with a symmetric cipher (historically RC4)

Public key operations protect the symmetric session key; the symmetric cipher protects the bulk data stream

RC4

 Stream cipher: key up to 2048 bits long, expanded into a keystream that is XORed with the data

 Fast, and long considered secure; now known to produce biased output and prohibited in TLS (RFC 7465)

 Historically used by e-mail and browser programs

Lotus Notes, Netscape

Digital certificate

 File signed by a certificate authority

 Binds identification information to a public key

The public key is inside the certificate; the certificate itself is not secret, the matching private key is

CA (certificate authority)

 Issues, maintains digital certificates

 Example: Verisign

PKI (public key infrastructure)

 Use of certificate authorities to associate public keys with certain users
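The key-exchange, RSA and certificate ideas from this slide and the two before it, carried through in plain Python as an added example (not code from the page or from any library). It shows Diffie-Hellman giving both parties the same session key without transmitting it, which is the answer to the "sender must somehow share key" drawback of private-key encryption; RSA encryption and signing from two primes; and a CA binding a name to a public key by signing it. Everything here is textbook-sized and deliberately toy: the Mersenne primes, the DH generator, the unpadded RSA and the certificate layout are choices for this example, and a real deployment uses 2048-bit or larger moduli, OAEP/PSS padding, and DH groups from RFC 3526.

```python
"""Added example: Diffie-Hellman agreement, textbook RSA, and a CA-signed 'certificate'.

Toy parameters for illustration only (trivially factorable Mersenne primes,
no padding, unverified DH generator).  Names and values are constructed."""
import hashlib
import secrets

# Toy DH group: a Mersenne prime as modulus; g is not a verified generator.
DH_P = 2**127 - 1
DH_G = 5


def dh_keypair():
    """(private, public): the private exponent never leaves the host."""
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def dh_shared_key(my_priv: int, their_pub: int) -> bytes:
    """Both sides reach g^(ab) mod p; hash it down to a 256-bit session key."""
    shared = pow(their_pub, my_priv, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Public (n, e) and private d with e*d = 1 (mod (p-1)(q-1))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), d


def rsa_encrypt(m: int, pub) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)


def rsa_sign(digest: bytes, d: int, n: int) -> int:
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_verify(digest: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")


def _to_be_signed(subject: str, pub) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(subject: str, subject_pub, ca_d: int, ca_n: int) -> dict:
    """Minimal certificate: the CA signs a hash over (name, public key)."""
    digest = hashlib.sha256(_to_be_signed(subject, subject_pub)).digest()
    return {"subject": subject, "pub": subject_pub, "sig": rsa_sign(digest, ca_d, ca_n)}


def verify_certificate(cert: dict, ca_pub) -> bool:
    """Anyone holding the CA's public key can check the binding."""
    digest = hashlib.sha256(_to_be_signed(cert["subject"], cert["pub"])).digest()
    return rsa_verify(digest, cert["sig"], ca_pub)


# Toy primes (Mersenne primes M521, M127, M607, M89); moduli exceed 2^256 so a
# SHA-256 digest or a 256-bit session key fits as a single RSA message.
SERVER_PUB, SERVER_PRIV = rsa_keygen(2**521 - 1, 2**127 - 1)
CA_PUB, CA_PRIV = rsa_keygen(2**607 - 1, 2**89 - 1)
SERVER_CERT = issue_certificate("www.example.com", SERVER_PUB, CA_PRIV, CA_PUB[0])

if __name__ == "__main__":
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    print("DH keys match:", dh_shared_key(a_priv, b_pub) == dh_shared_key(b_priv, a_pub))
    # Hybrid use: a client wraps a random symmetric key with the server's RSA public key.
    session_key = secrets.token_bytes(32)
    wrapped = rsa_encrypt(int.from_bytes(session_key, "big"), SERVER_PUB)
    unwrapped = rsa_decrypt(wrapped, SERVER_PRIV, SERVER_PUB[0]).to_bytes(32, "big")
    print("RSA unwrap ok:", unwrapped == session_key)
    print("certificate verifies:", verify_certificate(SERVER_CERT, CA_PUB))
```

Two things worth noticing while reading it: only public values (g^a, g^b, the public RSA keys, the certificate) ever cross the wire, and the certificate check is nothing more than an RSA signature verification against a CA key the client already trusts, which is why distributing and protecting CA keys is the whole business of a PKI.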

PGP (Pretty Good Privacy)

Secures e-mail transmissions

Developed by Phil Zimmermann (1991)

Public key encryption system

 Verifies e-mail sender authenticity

 Encrypts e-mail data in transmission

Freeware versions distributed through MIT

Freely available

 Open source implementations (GnuPG) of the OpenPGP standard, and proprietary versions

Also used to encrypt storage device data

SSL (Secure Sockets Layer)

Encrypts TCP/IP transmissions

 Web pages and data entered into Web forms

En route between client and server

 Public key cryptography authenticates the server and negotiates a session key; symmetric encryption then protects the data

Web pages using HTTPS

 HTTP over Secure Sockets Layer, HTTP Secure

 Data transferred from server to client (vice versa)

Using SSL encryption

HTTPS uses TCP port 443

SSL session

 Association between client and server

Defined by agreement

Specific set of encryption techniques

 Created by SSL handshake protocol

 Handshake protocol

Allows client and server to authenticate

SSL

 Netscape originally developed it

 IETF standardized its successor

TLS (Transport Layer Security) protocol, RFC 2246 (1999); SSL itself is now deprecated

SSH (Secure Shell)

Collection of protocols

Provides Telnet capabilities with security

Guards against security threats

 Unauthorized host access

 IP spoofing

 Interception of data in transit

 DNS spoofing

Encryption algorithms (depend on version)

 DES and Triple DES (SSH-1), AES and others (SSH-2); RSA or DSA key pairs for authentication; Kerberos can serve as an authentication method, not as a cipher

Developed by SSH Communications Security

 Commercial version requires a license fee

Open source versions available: OpenSSH

Secure connection requires SSH running on both machines

Requires public and private key generation

Highly configurable

 Use one of several encryption types

 Require client password

 Perform port forwarding

SCP (Secure CoPy) and SFTP (SSH File Transfer Protocol)

SCP (Secure CoPy) utility

 Part of OpenSSH

 Copies files from one host to another over an SSH connection

 Replaces insecure file copy protocols (FTP)

FTP sends user names, passwords, and data in plaintext; SCP encrypts all three

UNIX, Linux, and Macintosh OS X operating systems

 Include SCP utility

Freeware SSH programs available for Windows

 May require a separate SCP/SFTP client, such as WinSCP

SCP simple to use

Proprietary SSH version (SSH Communications Security)

 Uses SFTP (SSH File Transfer Protocol) to copy files

Different from SCP: a full remote file-access protocol (directory listing, rename, delete), not just copying; OpenSSH also ships an SFTP client and server

IPSec (Internet Protocol Security)

Defines encryption, authentication, and key management

 For TCP/IP transmissions

Optional enhancement to IPv4

Originally a mandatory part of IPv6

Difference from other methods

 Protects at the IP layer

By adding its own headers (AH or ESP) to each protected packet, rather than securing one application’s traffic

 Transforms data packets

 Operates at Network layer (Layer 3), so any upper-layer protocol is protected without changes

Two phases

 First phase: key management

Way two nodes authenticate each other and agree on algorithms and keys (a security association)

IKE (Internet Key Exchange) runs on UDP port 500 (UDP 4500 when NAT traversal is in use)

 Second phase: protecting the traffic

AH (Authentication Header): integrity and origin authentication, no confidentiality

ESP (Encapsulating Security Payload): encryption, optionally with integrity; both carry a sequence number for anti-replay protection

Used with any TCP/IP transmission

 Most commonly

Routers, connectivity devices in VPN context

VPN concentrator

 Specialized device

Positioned at the edge of the private network

Establishes VPN connections

 Authenticates VPN clients

 Establish tunnels for VPN connections
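What the AH/ESP headers buy the receiver, as an added example that is not from the page: an 8-byte (SPI, sequence number) header, a truncated HMAC-SHA-256 integrity check value over header and payload, and the sliding anti-replay window from RFC 4303 Appendix A. The encapsulation is simplified (no padding, next-header field or encryption step, which would be ESP's separately keyed payload transform), and the key and SPI are constructed values.

```python
"""Added example: the integrity check and anti-replay window that AH/ESP apply.

Header (SPI, sequence) and HMAC-SHA-256-96 ICV follow the shape of
RFC 4302/4303; encapsulation is otherwise simplified and unencrypted.
Keys and SPIs below are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 12        # HMAC-SHA-256-96: first 96 bits of the MAC
WINDOW = 64         # anti-replay window, in packets


class OutboundSA:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.seq = spi, key, 0

    def protect(self, payload: bytes) -> bytes:
        self.seq += 1                                     # never reused within one SA
        header = struct.pack("!II", self.spi, self.seq)
        icv = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
        return header + payload + icv


class InboundSA:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit k set => sequence (highest - k) already seen

    def replay_check(self, seq: int) -> bool:
        """Sliding window per RFC 4303 Appendix A.  True if seq may be accepted."""
        if seq == 0:
            return False                        # 0 is never a valid sequence number
        if seq > self.highest:
            return True                         # new high-water mark
        diff = self.highest - seq
        if diff >= WINDOW:
            return False                        # too old to track: drop
        return not (self.bitmap >> diff) & 1    # already seen => replay

    def replay_update(self, seq: int) -> None:
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def unprotect(self, packet: bytes) -> bytes:
        """Cheap replay check first, then the ICV, and only an authenticated
        packet updates the window (so forged packets cannot poison it)."""
        if len(packet) < 8 + ICV_LEN:
            raise ValueError("truncated")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        if not self.replay_check(seq):
            raise ValueError("replayed or stale sequence number")
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise ValueError("integrity check failed")
        self.replay_update(seq)
        return body[8:]


def try_unprotect(sa: InboundSA, packet: bytes):
    """(accepted, payload or reason): convenient for logging and tests."""
    try:
        return True, sa.unprotect(packet)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    key = b"\x11" * 32                                    # constructed SA key
    out, inb = OutboundSA(0x1001, key), InboundSA(0x1001, key)
    p1 = out.protect(b"hello")
    print(try_unprotect(inb, p1))                         # (True, b'hello')
    print(try_unprotect(inb, p1))                         # replay rejected
```

The order inside `unprotect` is the practitioner's detail: verifying the MAC is the expensive step, so the sequence window screens obvious replays first, but the window is only advanced after the MAC passes, otherwise an attacker who can inject packets with high sequence numbers could push legitimate traffic out of the window.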

Authentication Protocols

Authentication

 Process of verifying a user’s credentials

Grant user access to secured resources

Authentication protocols

 Rules computers follow to accomplish authentication

Several authentication protocol types

 Vary by encryption scheme

 Steps taken to verify credentials

RADIUS and TACACS

Used when many users make simultaneous remote (originally dial-up) connections

 Manages user IDs and passwords centrally

RADIUS defined by IETF (RFC 2865 authentication, RFC 2866 accounting)

Runs over UDP (ports 1812 and 1813; older implementations used 1645 and 1646)

Provides centralized network authentication, authorization, and accounting (AAA) for multiple users

RADIUS server

 Does not replace functions performed by remote access server, which forwards the user’s credentials to it
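The exchange the slide describes, with both sides written out as an added example (not from the page or any RADIUS implementation): the remote access server builds an Access-Request whose User-Password is hidden with the shared secret, and the RADIUS server recovers it, decides, and returns an Access-Accept or Access-Reject whose authenticator proves it holds the same secret. Packet layout and the password hiding follow RFC 2865; the user database, shared secret, addresses and the three attributes modelled are constructed for this example.

```python
"""Added example: a RADIUS Access-Request/Accept exchange over the shared secret.

Layout and User-Password hiding per RFC 2865; only three attributes are
modelled.  Secret, users and addresses are constructed for this example."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")      # Code, Identifier, Length; a 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + previous
    ciphertext block), the first block with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, mask)), block
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value     # Length covers Type and Length


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """NAS side.  The Request Authenticator is 16 random bytes: it seeds the
    password hiding and lets the NAS verify that the reply is genuine."""
    request_auth = request_auth or os.urandom(16)
    body = (attribute(USER_NAME, username)
            + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
            + attribute(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password, decide, sign the reply."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("bad request")
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    reply = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    body = b""                                      # no reply attributes in this example
    return (HEADER.pack(reply, ident, 20 + len(body))
            + response_authenticator(reply, ident, body, request_auth, secret) + body)


def client_check_response(response: bytes, request_auth: bytes, secret: bytes):
    """NAS side: (authenticator valid, code).  A reply forged without the
    secret, or for a different request, fails the check."""
    code, ident, length = HEADER.unpack(response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20]), code


if __name__ == "__main__":
    secret, users = b"s3cret-between-nas-and-radius", {b"alice": b"correct horse"}   # constructed
    req = build_access_request(7, b"alice", b"correct horse", secret, "192.0.2.10")
    print(client_check_response(server_handle(req, secret, users), req[4:20], secret))
```

Note what the secret does and does not protect: it keeps the password from being read off the wire and lets the NAS detect a forged reply, but the hiding is MD5-based with no salt beyond the authenticator, so anyone who captures a request can guess the shared secret offline against the password attribute. That is why RADIUS is run over a protected path (IPsec, or RadSec over TLS) rather than bare UDP across untrusted networks.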